以配置一个需要认证才能访问的 phpMyAdmin 为例
# mkdir /usr/local/nginx/ca
# cd /usr/local/nginx/ca
# mkdir newcerts private conf server
其中newcerts子目录将存放CA签署(颁发)过的数字证书(证书备份目录)。而private目录用于存放CA的私钥。目录conf只是用于存放一些简化参数用的配置文件,server存放服务器证书文件。
# vim conf/openssl.conf
内容输入如下
# openssl.conf — passed to "openssl ca" with -config; every path is absolute under /usr/local/nginx/ca
# CA section used when "openssl ca" is run without -name
default_ca = foo

[ foo ]
# CA working directory
dir = /usr/local/nginx/ca
# index of issued certificates (created with "touch index.txt")
database = /usr/local/nginx/ca/index.txt
# copy of every certificate this CA signs
new_certs_dir = /usr/local/nginx/ca/newcerts
# CA certificate and its private key
certificate = /usr/local/nginx/ca/private/ca.crt
private_key = /usr/local/nginx/ca/private/ca.key
# next serial number, hexadecimal (seeded with "echo FACE > serial")
serial = /usr/local/nginx/ca/serial
# random-number seed file
RANDFILE = /usr/local/nginx/ca/private/.rand
# validity of issued certificates, in days
default_days = 365
# days until the next CRL is due
default_crl_days = 30
# signature digest for issued certificates
default_md = sha256
# allow several certificates with the same subject DN
# (the server and client CSRs in this guide use identical subjects)
unique_subject = no
# DN policy applied to every request
policy = policy_any
# NOTE(review): no x509_extensions / copy_extensions is set, so issued certificates carry
# no extensions (no subjectAltName, no keyUsage) — confirm the intended clients accept
# CN-only server certificates.

[ policy_any ]
# match: must equal the CA certificate's value; supplied: must be present; optional: may be absent
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
[ca]
# openssl genrsa -out private/ca.key
# openssl req -new -key private/ca.key -out private/ca.csr
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZHEJIAN
Locality Name (eg, city) []:HANGZHOU
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BYM
Organizational Unit Name (eg, section) []:BYM
Common Name (e.g. server FQDN or YOUR name) []:bym.phpmyadmin.com
Email Address []:admin@bym.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:直接回车
An optional company name []:直接回车
# openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# echo FACE > serial
# touch index.txt
# openssl ca -gencrl -out /usr/local/nginx/ca/private/ca.crl -crldays 365 -config "/usr/local/nginx/ca/conf/openssl.conf"
[server]
# openssl genrsa -out server/server.key
# openssl req -new -key server/server.key -out server/server.csr
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZHEJIAN
Locality Name (eg, city) []:HANGZHOU
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BYM
Organizational Unit Name (eg, section) []:BYM
Common Name (e.g. server FQDN or YOUR name) []:bym.phpmyadmin.com
Email Address []:admin@bym.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:直接回车
An optional company name []:直接回车
# openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/usr/local/nginx/ca/conf/openssl.conf"
[client]
# mkdir -p /usr/local/nginx/ca/users/
# cd /usr/local/nginx/ca/users/
# openssl genrsa -des3 -out client.key 2048 (password:123456)
# openssl req -new -key client.key -out client.csr
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZHEJIAN
Locality Name (eg, city) []:HANGZHOU
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BYM
Organizational Unit Name (eg, section) []:BYM
Common Name (e.g. server FQDN or YOUR name) []:bym.phpmyadmin.com
Email Address []:admin@bym.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:直接回车
An optional company name []:直接回车
# openssl ca -in /usr/local/nginx/ca/users/client.csr -cert /usr/local/nginx/ca/private/ca.crt -keyfile /usr/local/nginx/ca/private/ca.key -out /usr/local/nginx/ca/users/client.crt -config "/usr/local/nginx/ca/conf/openssl.conf"
# openssl pkcs12 -export -clcerts -in /usr/local/nginx/ca/users/client.crt -inkey /usr/local/nginx/ca/users/client.key -out /usr/local/nginx/ca/users/client.p12 (password:1111)
[nginx配置]
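# HTTPS virtual host for phpMyAdmin; access requires a client certificate issued by the local CA.
server {
    # "ssl on" is not needed (and is deprecated) because the listen directive carries the ssl parameter.
    listen 443 ssl;
    server_name bym.phpmyadmin.com;
    index index.html index.htm index.php;
    root /var/www/phpMyAdmin/;
    charset utf-8;

    # server certificate and key produced in the [server] steps
    ssl_certificate /usr/local/nginx/ca/server/server.crt;
    ssl_certificate_key /usr/local/nginx/ca/server/server.key;
    ssl_session_timeout 5m;

    # Client-certificate authentication: the client must present a certificate chaining to ca.crt.
    # The same CA also signs server.crt, so presumably any certificate it has issued is accepted
    # here (the CA config adds no extendedKeyUsage that would restrict it). Revoked certificates
    # are rejected only because ssl_crl is set; ca.crl was generated with -crldays 365 and must be
    # regenerated before it expires, otherwise verification fails for every client.
    ssl_client_certificate /usr/local/nginx/ca/private/ca.crt;
    ssl_crl /usr/local/nginx/ca/private/ca.crl;
    ssl_verify_client on;

    # TLS 1.2 only (add TLSv1.3 where the nginx/OpenSSL build supports it). SSLv3, TLS 1.0/1.1
    # and the RC4/EXPORT/LOW/SSLv2 cipher classes of the original list are no longer considered safe.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Anchored at $ so only genuine .php requests reach PHP-FPM (the unanchored ".*\.php" also
    # matched paths such as x.php.jpg); try_files ensures the script exists before it is passed on.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_intercept_errors on;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}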